Cyber Insurance is a relatively new type of coverage designed to help protect businesses and individual users from risks related to information technology infrastructure and activities. But what does this mean? More importantly, do you need it?

Let me begin by admitting that my knowledge of Cyber Insurance was once quite limited. This was also true of most physicians I spoke to: few seemed to understand what Cyber Insurance is, or why it might be necessary.

In order to advise members on their potential need for Cyber Insurance, I had to understand it better myself. So I did some research and asked lots of questions. The results were revealing.

Generally speaking, any individual or business entity that collects any type of electronic data about people should seriously consider buying Cyber Insurance — it is likely one of the biggest gaps in insurance coverage today.

But the decision as to whether you or your practice/clinic have some sort of potential liability exposure comes down to one simple question:
Are you ever responsible for collecting or recording a patient's personal, financial, family or medical information in an electronic format? If the answer is yes, then you have a cyber liability exposure, and you should think about adding Cyber Insurance to your commercial property and liability insurance for your clinic or practice.

Cyber Crime Happens

Over the past two years, health care, retail, and financial services industries around the world have been targets of massive attacks by cyber criminals.1 In 2014, medical records accounted for 43% of all data stolen in the United States alone.2

Although health care is one of the leading sources of cyber claims, hacking, identity theft, and breach of privacy information in North America, you may feel you have little reason to be concerned. For instance:

You or your group use an electronic medical record (EMR), it has built-in security features, and the data collected is secure.

You use the hospital or clinic network and responsibility for patient data storage is in the hands of a third party that is contractually obligated to safeguard all such information.

Most Cyber Insurance claims originate in the United States and target credit card information, which is not really an issue for Ontario physicians.

While these statements are partially valid and may imply a sense of security, you are only protected as long as:

Your staff, or ex-staff, do not intentionally reveal confidential patient information (e.g., for personal gain, or out of spite).

A computer virus never compromises your data or inadvertently provides an unauthorized third party with access to your computer system.

You never get hacked.

It is important to note that, according to the various privacy laws under which we all operate, an unintentional disclosure of private information can have many of the same consequences as a deliberate disclosure or computer hack.

Cyber Claims: Good News And Bad News

The good news is that damages and claims from outside parties against physicians as a result of cyber attacks or data breaches have not yet amounted to any significant losses in Canada. But there's also some bad news:

Costs and damages

Costs and damages are more likely to increase than to decrease. At the recent NetDiligence Forum on Cyber Risk and Privacy Liability, held in Toronto, attendees were told that the "dark web" (that part of the Internet that is not accessible via conventional search engines, and often acts as a conduit for illegal activities) is so full of stolen Canadian identities that they're sold at a discount. Hacking and computer breaches are reported to have exceeded drug distribution as the largest criminal business (ranked by dollars) in the world. These are indications of growing criminal activity that is starting to cost the economy increasing sums of money.3 Moreover, it is likely that those entities found to have been fully or partially responsible for allowing the hacking to occur will be made to pay for some of the costs.

Your reputation — and your money

As with most small businesses, the real cost of a privacy breach in a medical clinic or practice is the negative effect it can have on your personal reputation, which may in turn result in lost patients and less growth in the future. There is, of course, also a financial cost: you must notify all your patients that their information may have been compromised, and you have to do it quickly. Once you factor in staff time, forensic investigation expenses, and loss-of-business costs, the notification process may end up costing you several dollars per patient file, which can translate to a substantial financial hit.

Sources of cyber claims

While hacking still accounts for just under 30% of cyber incidents, the sub-contractors hired to safeguard your computer system — whether they be security experts or network managers — account for 15% of claims, while "employee negligence" and "insider theft" each account for about 10% of claims.1

What's Covered?

Clearly, you do not have to be found ultimately at fault to incur real costs and reputational damage as a result of a cyber breach: simply being accused can hurt you both professionally and financially. This is why you should consider getting Cyber Insurance.

It also covers cyber extortion and crisis management expenses — both of which help you deal with circumstances beyond your control or expertise.

Cyber extortion is when an individual or group uses email to threaten your computer system unless you pay a "ransom." Cyber extortionists usually send an email stating that they have, or have access to, confidential information and will exploit a security leak, or launch an attack that will harm your computer network or release information, unless they are paid a sum of money within a specific period of time. Many Cyber Insurance policies now include both coverage for this type of claim and, more importantly, access to experts who can help you manage the situation.

Crisis management experts can help you sort through the steps necessary to meet your legal requirements and to minimize damage to your practice and reputation in the event of a data breach.

A key part of both these services is that insurers will typically contract legal representation for you, meaning that anything you discuss is protected by lawyer-client confidentiality, and will be kept private.

More Information

Cyber Insurance is a dynamic coverage that will evolve over time to address the way we manage our communications and data storage.

Traditional liability coverage both excludes electronic data and records and fails to provide access to the important services that make Cyber Insurance a great option to address a growing insurance gap.

But do you need it? To answer that question, stop and consider how you, your patients, and your clinic or practice would be affected in the event of a cyber breach. If you're still not sure and want some advice, contact OMA Insurance — we're here to help.

The OMA Insurance Office & Clinic program includes an option to add cyber liability coverage for about $100, and Hub International also offers an expanded version of the policy for less than $300. The staff at HUB are available to discuss your situation in more detail. Hub can be reached directly at 1.855.662.0500, or through their special OMA website at http://oma.hubinternational.com/commercial-insurance/